SAML Assertions


Digital Assertions as in SAML#

An assertion is a package of information that supplies one or more statements made by a SAML authority. SAML defines three different kinds of assertion statement that can be created by a SAML authority.

SAML assertions are compounds of one or more of three kinds of "statement" about a Digital Subject (human or program).

SAML can be extended to incorporate many kinds of assertions and statements.

Assertions can, and probably should, be digitally signed.

Common information#

All SAML assertions share some common information:
  • Assertion ID - Who is making the Claim
  • Issuer ID and issuance timestamp
  • Subject - The Digital Subject that the claims are about
    • Name plus the security domain
    • Optional subject confirmation, e.g. public key
  • "Conditions" under which assertion is valid
    • SAML clients must reject assertions containing unsupported conditions
    • Special kind of condition: assertion validity period
  • Additional "advice" - E.g., to explain how the assertion was made

SAML assertion Structure Image #

The outer structure of an assertion is generic, providing information that is common to all of the statements within it. Within an assertion, a series of inner elements describe the SAML Authentication Statement, SAML Attribute Statement, SAML Authorization Decision Statement, or user-defined statements containing the specifics.

The diagram below illustrates the high-level structure of a typical SAML authentication assertion.

Sample common information assertion#

    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        MajorVersion="1" MinorVersion="0"
        AssertionID="..." Issuer="..." IssueInstant="...">
        <!-- .. a variety of elements can go here.. -->
        <!-- ...statements go here... -->
    </saml:Assertion>
The saml: namespace corresponds to an XML Schema that focuses solely on assertions. So far, we have decided that unique identifiers like AssertionID are essentially opaque to SAML; it is up to you to ensure that they are unique in the domain you care about.
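As an added example (not part of the original page), the following Python code parses the common information of a SAML 1.x assertion and applies the rules listed above: issuer and issuance data must be present, the validity period must be honoured, and an assertion carrying a condition the client does not support must be rejected. The sample assertion, its identifier, issuer, audience and timestamps are constructed; `SUPPORTED_CONDITIONS` is a hypothetical client policy, and signature checking is left to an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
# Conditions this (hypothetical) client understands; any other one is rejected.
SUPPORTED_CONDITIONS = {f"{{{SAML_NS}}}AudienceRestrictionCondition"}

# Constructed sample: the identifier, issuer, audience and timestamps are made up.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}"
    MajorVersion="1" MinorVersion="0"
    AssertionID="_constructed-id-0001" Issuer="https://idp.example.test"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sp.example.test</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationInstant="2024-01-01T12:00:00Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

def parse_instant(value):
    # SAML timestamps are xsd:dateTime in UTC, e.g. 2024-01-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now_instant, audience):
    """Check the common information only and return (ok, reason).
    Signature verification is left to an XML-DSig library."""
    now = parse_instant(now_instant)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "not a SAML assertion"
    for attr in ("AssertionID", "Issuer", "IssueInstant"):
        if not root.get(attr):
            return False, f"missing {attr}"
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_instant(nb):
            return False, "assertion not yet valid"
        if noa and now >= parse_instant(noa):  # NotOnOrAfter is exclusive
            return False, "assertion expired"
        for child in cond:  # an unsupported condition rejects the whole assertion
            if child.tag not in SUPPORTED_CONDITIONS:
                return False, f"unsupported condition {child.tag}"
            if audience not in [a.text for a in child.iter(f"{{{SAML_NS}}}Audience")]:
                return False, "audience mismatch"
    return True, "ok"
```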
